Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

1

dridex

windows10-2004-x64

10

Analysis

  • max time kernel
    60s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01/04/2023, 06:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe

  • Size

    530KB

  • MD5

    30843c7d717e1963ac1011dd3a24688c

  • SHA1

    8e372226bb0c5bcf09966e0914f9eab64e45fcb8

  • SHA256

    55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077

  • SHA512

    b5cbe97b166dd8bfe80d188dbe4acbb931242477dde0347c60fe0792fade23d4b14c8b70c99497302480f0617f320685a50584d00e33d252a914de81fde516b0

  • SSDEEP

    12288:GMrwy90HtDAxPm1Q9yUStQLJtUbshFnSw:iyItePmG9k8tUbESw

Score
10/10
redlinerosnsporadiscoveryevasioninfostealerpersistencespywarestealertrojan

Malware Config

Extracted

Family

redline

Botnet

rosn

C2

176.113.115.145:4125

Attributes
  • auth_value

    050a19e1db4d0024b0f23b37dcf961f4

Extracted

Family

redline

Botnet

spora

C2

176.113.115.145:4125

Attributes
  • auth_value

    441b39ab37774b2ca9931c31e1bc6071

Signatures

  • Modifies Windows Defender Real-time Protection settings 3 TTPs 6 IoCs
    evasiontrojan
  • RedLine

    RedLine Stealer is a malware family written in C#, first appearing in early 2020.

    infostealerredline
  • RedLine payload 33 IoCs
  • Executes dropped EXE 4 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Windows security modification 2 TTPs 1 IoCs
    evasiontrojan
  • Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
    spyware
  • Adds Run key to start application 2 TTPs 4 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe
    "C:\Users\Admin\AppData\Local\Temp\55a19528717a6c4c7b21caf61989aba8338ed7b12bacd69b5bc97526bfc9c077.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:3536
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDD7673.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDD7673.exe
      2⤵
      • Executes dropped EXE
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:548
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr198355.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr198355.exe
        3⤵
        • Modifies Windows Defender Real-time Protection settings
        • Executes dropped EXE
        • Windows security modification
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2120
      • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525755.exe
        C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525755.exe
        3⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3648
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3648 -s 968
          4⤵
          • Program crash
          PID:384
    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr516330.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr516330.exe
      2⤵
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2516
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3648 -ip 3648
    1⤵
      PID:2544

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr516330.exe
      Filesize

      176KB

      MD5

      dd637182ef40911cc67d920ab27f3d1b

      SHA1

      a06be16ab563b42e7e42d04f2a6e8cb196ea9d9e

      SHA256

      137b173aea38c3c9dcfa3742a8b3c5790a12f4fb03892e1c7ca8ef9f2b66f87a

      SHA512

      1e1ae5f45bed72acd75ff16662b522285fbdf557daf84939b4fb711d9f0f2b08313030f5135154ab82d66820257e795246b2f36e58e516504031d4f01b2f8a8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\lr516330.exe
      Filesize

      176KB

      MD5

      dd637182ef40911cc67d920ab27f3d1b

      SHA1

      a06be16ab563b42e7e42d04f2a6e8cb196ea9d9e

      SHA256

      137b173aea38c3c9dcfa3742a8b3c5790a12f4fb03892e1c7ca8ef9f2b66f87a

      SHA512

      1e1ae5f45bed72acd75ff16662b522285fbdf557daf84939b4fb711d9f0f2b08313030f5135154ab82d66820257e795246b2f36e58e516504031d4f01b2f8a8c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDD7673.exe
      Filesize

      387KB

      MD5

      27f8e6363dce659b324e5641c30709d7

      SHA1

      515547036fd23b95f32aea8e06f43582c811b4e3

      SHA256

      32736e819f75e26afd8ec27d0df553bf9a9f6efa8b8d179e87e8c5b0f820d3e2

      SHA512

      04b550867799a702a72464e5ebbc48f9007ffc7848f0e35dd479d62d5dec1c198292d0c3401b235680dd33744f3aeda1b7074b727541f70de70f1d95c363bdd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ziDD7673.exe
      Filesize

      387KB

      MD5

      27f8e6363dce659b324e5641c30709d7

      SHA1

      515547036fd23b95f32aea8e06f43582c811b4e3

      SHA256

      32736e819f75e26afd8ec27d0df553bf9a9f6efa8b8d179e87e8c5b0f820d3e2

      SHA512

      04b550867799a702a72464e5ebbc48f9007ffc7848f0e35dd479d62d5dec1c198292d0c3401b235680dd33744f3aeda1b7074b727541f70de70f1d95c363bdd9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr198355.exe
      Filesize

      12KB

      MD5

      4f6cfc203061090123f931df9e71ecb3

      SHA1

      61375f4b936d63d7df13f64fdb93a31df71d0f97

      SHA256

      a00fbafce8da0da20272c61a9a44f57de2cfca88a56cfbdf7fb6bcc2e59b2501

      SHA512

      821141ea539f88d2f920cca3ad6d7dc94b38397af91807a8acb47ab90872fd6eb20fe62a93395946c50a6d0e5e9fc224ff184ad088782722a6d611add121f2d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\jr198355.exe
      Filesize

      12KB

      MD5

      4f6cfc203061090123f931df9e71ecb3

      SHA1

      61375f4b936d63d7df13f64fdb93a31df71d0f97

      SHA256

      a00fbafce8da0da20272c61a9a44f57de2cfca88a56cfbdf7fb6bcc2e59b2501

      SHA512

      821141ea539f88d2f920cca3ad6d7dc94b38397af91807a8acb47ab90872fd6eb20fe62a93395946c50a6d0e5e9fc224ff184ad088782722a6d611add121f2d8

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525755.exe
      Filesize

      342KB

      MD5

      d6b2fcb1ce832c7b837174422f922bbd

      SHA1

      62fd2dd22bcbe3b84dbf8d3bcec855ab73475aeb

      SHA256

      33aa92f22b35598001bd733affa0a18c7cae0ccbb8ec9530325547ca9e1e9954

      SHA512

      3c8a47c7bce7507c0b0b947054092e72ba0ce5093087d82177d3888964a72b7380450916322c42fe53e2aacc286cb268c8a97f3b7d3e9b6dbafda7ce7e3a8e9d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\ku525755.exe
      Filesize

      342KB

      MD5

      d6b2fcb1ce832c7b837174422f922bbd

      SHA1

      62fd2dd22bcbe3b84dbf8d3bcec855ab73475aeb

      SHA256

      33aa92f22b35598001bd733affa0a18c7cae0ccbb8ec9530325547ca9e1e9954

      SHA512

      3c8a47c7bce7507c0b0b947054092e72ba0ce5093087d82177d3888964a72b7380450916322c42fe53e2aacc286cb268c8a97f3b7d3e9b6dbafda7ce7e3a8e9d

      Download Submit

    • memory/2120-147-0x0000000000C00000-0x0000000000C0A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2516-1086-0x0000000000680000-0x00000000006B2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2516-1087-0x0000000005240000-0x0000000005250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2516-1088-0x0000000005240000-0x0000000005250000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-189-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-203-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-156-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-157-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-158-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-161-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-163-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-159-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-165-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-167-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-169-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-171-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-173-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-175-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-177-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-179-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-181-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-183-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-185-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-187-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-155-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-191-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-193-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-195-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-197-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-199-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-201-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-154-0x00000000047B0000-0x00000000047FB000-memory.dmp

      Filesize

      300KB

      Download

    • memory/3648-205-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-207-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-209-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-211-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-213-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-215-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-217-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-219-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-221-0x0000000004B30000-0x0000000004B6F000-memory.dmp

      Filesize

      252KB

      Download

    • memory/3648-1064-0x00000000078E0000-0x0000000007EF8000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/3648-1065-0x0000000007F00000-0x000000000800A000-memory.dmp

      Filesize

      1.0MB

      Download

    • memory/3648-1066-0x0000000007280000-0x0000000007292000-memory.dmp

      Filesize

      72KB

      Download

    • memory/3648-1067-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-1068-0x00000000072A0000-0x00000000072DC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3648-1070-0x0000000008280000-0x0000000008312000-memory.dmp

      Filesize

      584KB

      Download

    • memory/3648-1071-0x0000000008320000-0x0000000008386000-memory.dmp

      Filesize

      408KB

      Download

    • memory/3648-1072-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-1073-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-1074-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-1075-0x0000000007320000-0x0000000007330000-memory.dmp

      Filesize

      64KB

      Download

    • memory/3648-153-0x0000000007330000-0x00000000078D4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/3648-1076-0x0000000008C80000-0x0000000008CF6000-memory.dmp

      Filesize

      472KB

      Download

    • memory/3648-1077-0x0000000008D10000-0x0000000008D60000-memory.dmp

      Filesize

      320KB

      Download

    • memory/3648-1078-0x0000000008DA0000-0x0000000008F62000-memory.dmp

      Filesize

      1.8MB

      Download

    • memory/3648-1079-0x0000000008F70000-0x000000000949C000-memory.dmp

      Filesize

      5.2MB

      Download